spf-discuss

Re: [spf-discuss] Re: nobody @ xyzzy

2006-02-22 07:15:22
John Kelly writes:

Then I ran across sid-milter, and technically, it looked better to me,
so that's what I chose.  OTOH, it combines SPF with sender-id.

Disabling the PRA check is a trivial code change.  I used to maintain
a sid-milter patch that was partly to expand the range of modes of
operation, including an option to make the PRA check not use v=spf1.
An option not to do PRA at all would be even simpler.  If I ever make
a patch for 0.2.10, maybe I'll include such an option.

However, turning off the PRA check would still leave sid-milter doing
a Sender-ID-style SPF check, which currently differs from that done by
spf-milter (no ehlo/ehlo check, for example).

I don't see any way to configure it to fail on SPF only, and ignore
sender-id failures.  It has these configuration levels:

  0  accept all mail
  1  reject if _both_ sender-id and SPF fail
  2  reject if _either_ sender-id or SPF fail
  3  reject unless _either_ sender-id or SPF pass
  4  reject unless _both_ sender-id and SPF pass
  5  reject mail for which a "pass" from either test overrides a
     "fail" from the other

I can't use option 1, because SPF could fail while sender-id is
neutral, and then I would not detect the SPF failure.  I can't use
option 3 or 4, because if both SPF and sender-id are neutral, that
would produce an unwanted rejection.

5 doesn't make sense to me.  Maybe they were trying to say either one
passing will override a failure of the other, but  "reject mail" seems
to confuse that.  Maybe that's just a documentation bug.

It's a documentation bug.  5 was picked up from my patch, and the
description should be "reject mail on a fail from either test unless
the other test returns a pass."

A simple but inefficient way not to use the PRA check would be to set
its result to neutral before the rlevel test at about line 1970 in
sid-filter/sid-filter.c: add a line 
                    sid_result = SM_MARID_NEUTRAL;
This would still pay the price of evaluating the PRA check, but the
result wouldn't be used.

--
Dick St.Peters, stpeters(_at_)NetHeaven(_dot_)com 
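
The rejection levels and the neutral-PRA workaround discussed in this message, modeled as an added example that is not part of the original post and is not sid-milter's code. The result_t values and both function names are hypothetical, and level 5 follows the corrected description given in the reply.

```c
#include <stdio.h>

/* Hypothetical result codes for this example (not sid-milter's own enum). */
typedef enum { R_PASS, R_FAIL, R_NEUTRAL } result_t;

/* Returns 1 if mail is rejected at the given level, following the level
 * descriptions in the message; level 5 uses the corrected wording. */
int should_reject(int level, result_t sid, result_t spf)
{
    switch (level) {
    case 1: return sid == R_FAIL && spf == R_FAIL;      /* both fail */
    case 2: return sid == R_FAIL || spf == R_FAIL;      /* either fails */
    case 3: return !(sid == R_PASS || spf == R_PASS);   /* unless either passes */
    case 4: return !(sid == R_PASS && spf == R_PASS);   /* unless both pass */
    case 5: return (sid == R_FAIL && spf != R_PASS) ||  /* fail not overridden */
                   (spf == R_FAIL && sid != R_PASS);    /* by the other's pass */
    default: return 0;                                  /* level 0: accept all */
    }
}

/* Models the workaround: the Sender-ID (PRA) result is forced to neutral
 * before the level test, so only the SPF result can drive the decision. */
int should_reject_pra_ignored(int level, result_t spf)
{
    return should_reject(level, R_NEUTRAL, spf);
}

int main(void)
{
    static const char *name[] = { "pass", "fail", "neutral" };

    /* Print the decision for every level and SPF result with PRA neutral. */
    for (int level = 0; level <= 5; level++) {
        printf("level %d:", level);
        for (int spf = R_PASS; spf <= R_NEUTRAL; spf++)
            printf("  spf=%s -> %s", name[spf],
                   should_reject_pra_ignored(level, (result_t)spf)
                       ? "reject" : "accept");
        printf("\n");
    }
    return 0;
}
```

In this model, with the PRA result held at neutral, levels 2 and 5 reject exactly when SPF fails, level 1 never rejects, level 3 rejects anything without an SPF pass, and level 4 rejects everything.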
